Category: UNCATEGORIZED

Since it exploded onto the scene in January after a newspaper exposé, Clearview AI quickly became one of the most elusive, secretive, and reviled companies in the tech startup scene.

The controversial facial recognition startup allows its law enforcement users to take a picture of a person, upload it, and match it against its alleged database of 3 billion images, which the company scraped from public social media profiles.

But for a time, a misconfigured server exposed the company’s internal files, apps and source code for anyone on the internet to find.

Mossab Hussein, chief security officer at Dubai-based cybersecurity firm SpiderSilk, found the repository storing Clearview’s source code. Although the repository was protected with a password, a misconfigured setting allowed anyone to register as a new user to log in to the system storing the code.

The repository contained Clearview’s source code, which could be used to compile and run the apps from scratch. The repository also stored some of the company’s secret keys and credentials, which granted access to Clearview’s cloud storage buckets. Inside those buckets, Clearview stored copies of its finished Windows, Mac, and Android apps, as well as its iOS app, which Apple recently blocked for violating its rules. The storage buckets also contained early, pre-release developer app versions that are typically only for testing, Hussein said.

The repository also exposed Clearview’s Slack tokens, according to Hussein, which, if used, could have allowed password-less access to the company’s private messages and communications.

Clearview has been dogged by privacy concerns since it was forced out of stealth following a profile in The New York Times, but its technology has gone largely untested and the accuracy of its facial recognition tech unproven. Clearview claims it only allows law enforcement to use its technology, but reports show that the startup courted users from private businesses like Macy’s, Walmart and the NBA. But this latest security lapse is likely to invite greater scrutiny of the company’s security and privacy practices.

When reached for comment, Clearview founder Hoan Ton-That claimed his company “experienced a constant stream of cyber intrusion attempts, and have been investing heavily in augmenting our security.”

“We have set up a bug bounty program with HackerOne whereby computer security researchers can be rewarded for finding flaws in Clearview AI’s systems,” said Ton-That. “SpiderSilk, a firm that was not a part of our bug bounty program, found a flaw in Clearview AI and reached out to us. This flaw did not expose any personally identifiable information, search history or biometric identifiers,” he said.

Ton-That accused the research firm of extortion, but emails between Clearview and SpiderSilk paint a different picture.

Hussein, who has previously reported security issues at several startups, including MoviePass, Remine and Blind, said he reported the exposure to Clearview but declined to accept a bounty, which he said if signed would have barred him from publicly disclosing the security lapse.

It’s not uncommon for companies to use bug bounty terms and conditions or non-disclosure agreements to prevent the disclosure of security lapses once they are fixed. But experts told TechCrunch that researchers are not obligated to accept a bounty or agree to disclosure rules.

Ton-That said that Clearview has “done a full forensic audit of the host to confirm no other unauthorized access occurred.” He also confirmed that the secret keys have been changed and no longer work.

Hussein’s findings offer a rare glimpse into the operations of the secretive company. One screenshot shared by Hussein showed code and apps referencing the company’s Insight Camera, which Ton-That described as a “prototype” camera, since discontinued.

According to BuzzFeed News, one of the firms that tested the cameras is New York City real estate firm Rudin Management, which trialled use of a camera to two of its city residential buildings.

Hussein said that he found some 70,000 videos in one of Clearview’s cloud storage buckets, taken from a camera installed at face-height in the lobby of a residential building. The videos show residents entering and leaving the building.

Ton-That explained that, “as part of prototyping a security camera product we collected some raw video strictly for debugging purposes, with the permission of the building management.”

TechCrunch could not ascertain from which building the videos were taken. A representative from Rudin Management did not return our emails.

Clearview has come under intense scrutiny since its January debut. It’s also attracted the attention of hackers.

In February, Clearview admitted to customers that a list of its customers was stolen in a data breach — though, it claimed its servers were “never accessed.” Clearview also left several of its cloud storage buckets containing its Android app unprotected.

Vermont’s attorney general’s office has already opened an investigation into the company for allegedly violating consumer protection laws, and police departments have been told to stop using Clearview, including in New Jersey and San Diego. Several tech companies, including Facebook, Twitter, and YouTube.

In an interview with CBS News in February, Ton-That defended his company’s practices. “If it’s public and it’s out there and could be inside Google’s search engine, it can be inside ours as well,” he said.

Despite what companies have said about providing personal protective equipment to gig workers, some workers say they are struggling to get masks, gloves and other items from companies like Target-owned Shipt, Uber, Lyft and Instacart.

“PPE is still a huge issue for us,” Shipt shopper and organizer Willy Solis told TechCrunch. “We have dozens of reports across the country where shoppers have gone to pick up their equipment to be told it’s only for employees. On top of that, Target’s Twitter account essentially said that much.”

Earlier this month, Shipt workers staged a walk-off in protest of Shipt’s treatment of workers amid the COVID-19 pandemic. Around that time, Shipt said it would provide all shoppers with gloves and a mask within the next two weeks. Those shoppers, Shipt said, would be able to pick them up at their nearest Target stores. Shipt said it also would allow its most active shoppers to claim a free kit that included gloves and hand sanitizer. But some shoppers report struggling to pick up the PPE at Target and through the Shipt app.

Shipt declined to comment for this story but pointed us to both Shipt’s and Target’s respective announcements.

Over in Los Angeles, some Uber and Lyft drivers say the rideshare companies have yet to provide them with face masks and other protective equipment. This is in light of LA Mayor Eric Garcetti’s Worker Protection Order, which requires companies to provide essential workers with PPE.

“As an Uber driver, I’m incredibly vulnerable to infection,” Uber driver Deborah Garcia said in a statement. “I transport dozens of passengers every day, and many are the doctors and nurses dealing with coronavirus cases up close. Uber and Lyft love to talk about drivers as heroes on the frontlines, but what does it say about these companies that they’d rather brainstorm clever hashtags than use even a small slice of their billions to keep drivers like me safe? It’s infuriating, and it’s time for our elected officials to take action.”

Uber says it’s begun distributing masks to active drivers and delivery workers throughout the nation, initially focused on New York City and Los Angeles. Active drivers and delivery people in Los Angeles who have requested masks should receive them in the mail by the end of this week, according to Uber.

“This is a long term commitment,” an Uber spokesperson told TechCrunch. “We have ordered tens of millions of masks for drivers around the world and expect another major shipment to the US very soon.”

Uber says it has also started shipping around 30,000 bottles of disinfectant. Lyft, in response to claims that the company is not providing PPE, says what drivers are saying is not true.

“In light of the latest CDC guidance on cloth face coverings, we’ve ordered face masks for drivers at no cost to them,” a Lyft spokesperson told TechCrunch. “We have been making them available to drivers, prioritizing regions where additional guidance about face coverings has been given. This includes LA, where we’ve already begun handing out thousands of face coverings to drivers.”

Lyft began distributing masks last Saturday, and distributed some more this past Monday and Wednesday. Lyft plans to distribute more on Friday. So far, Lyft says it has been able to hand out thousands of masks.

There are also reports that Instacart shoppers are having difficulty obtaining hand sanitizer and reusable face masks, according to The Hill. Instacart says it has been providing shoppers with hand sanitizer since last week and began shipping thousands of kits with face masks, sanitizer and thermometers this past Monday.

Nationwide, there is an understanding that gig workers delivering food and groceries, and providing rides to people during the pandemic are essential. As more cities begin to implement rules requiring people to wear masks upon entering grocery stores, companies will be forced to step up their production and delivery of personal protective equipment to workers.

Energy demand has fallen globally. Oil prices are plummeting. Everywhere in the energy world things look fairly grim, but keeping the lights on and electrons moving remains critical to keeping even the hobbled economies of the world humming.

That’s why startups like Amperon, which use data analysis to provide predictive tools for energy retailers and grid operators, are still relevant — and still raising money.

The company raised $2 million in a round that closed in February before the pandemic hit US shores. And the service, according to co-founder Abe Stanway, is still vital.

“We tell them how much electricity their customers are going to use on a short term and long term basis,” Stanway said of the company’s service. “When these exogenous shocks and black swan events occur we get much more valuable because you need this machine learning in order to understand how the grid is going to behave.”

The value proposition was clear to investors like Blackhorn Ventures, which led the round, and other backers including Garuda Ventures, Intelis Capital, Powerhouse Ventures, SK Ventures, and V1.VC.

“Amperon builds real time operational grid intelligence tools via smart meters and AI for utilities, energy retailers, grid operators, and institutional traders,” said Emily Kirsch, Powerhouse founder and chief executive. “Amperon’s iterative demand forecasting is able to account for never-before-seen grid volatility resulting from a global pandemic, climate disasters, or an increasingly complex grid.”

Amperon is working with four major geographies including Australia’s two major grid regions and the ERCOT regional transmission organization responsible for Texas and PJM, which manages the mid-Atlantic’s electricity grid.

Stanway said the new money would be used to expand the company’s reach across more grid operators in the U.S.

While Amperon’s technology is incredibly useful for utilities and grid operators during times of crisis, it can help save money in normal times too. Long term utility planners typically over-budget their energy needs by 1 percent every year, which adds up to billions of dollars spent on unnecessary additional generation capacity, according to Amperon.

Lower spending means reduced electricity prices for consumers. Another issue that Amperon says it can help energy providers address is the increasing complexity of grid management. Renewable energy generation adds variability to the grid that utilities and grid operators have yet to effectively manage, the company said.

 

On his personal Facebook account, Mark Zuckerberg offered an update on the company’s roadmap for bringing employees back to work in the wake of the coronavirus pandemic.

In the post, he acknowledged that while it might be possible for a small portion of “critical employees” unable to do their work remotely to return sooner, the majority of Facebook’s workforce will be required to continue working from home through “at least” the end of May. The selection of employees Facebook will prioritize for the swiftest return includes content reviewers who scan the platform for things like terrorism and self-harm as well as engineers who work with complex hardware.”…Overall, we don’t expect to have everyone back in our offices for some time,” Zuckerberg wrote.

On a call in the early days of the U.S. response to the virus, Zuckerberg noted that users could expect more false positives in platform moderation with Facebook’s army of at least 15,000 content reviewers sent home. Facebook said it was leaning more heavily on AI moderation to compensate for the lack of human oversight on the platform, a strategy that Twitter and YouTube turned to in the midst of the crisis as well.

Human moderators engage in some of the the social network’s most sensitive work, flagging terrorist activity, suicidal posts, child exploitation and other forms of content with potential legal and psychological consequences.

In his post, Zuckerberg noted that even as additional teams return to the office, employees from populations vulnerable to the virus, those without childcare or anyone with other circumstances that might make their situation difficult can work remotely through the summer months.

Zuckerberg also announced that his company would cancel any in-person events of 50 or more people through June of 2021 and planned to make some of them virtual instead. Facebook will also extend its ban on business travel through this June as the company evaluates the situation.

“… We’re slowing our plans to return to the office in order to prioritize helping the rest of our community and local economy to get back up and running first,” Zuckerberg said.

“We also know that when society does eventually start re-opening, it will have to open slowly in staggered waves to make sure that the people who are returning to work can do so safely and that we minimize the possibility of future outbreaks.”

Online grocery delivery company Instacart is launching a prescription delivery service through a partnership with Costco as demand for online delivery continues to rise amid the COVID-19 pandemic.

The company said Thursday the delivery service is now available from nearly 200 Costco locations in Arizona, California, Delaware, Florida, Illinois, New York, Washington and Washington D.C. The service, which was initially piloted at several locations in Southern California and Washington, will expand nationally in the coming months, the company said.

Customers who use the online prescription service will receive a text message from their Costco pharmacy when their prescription is ready. The text will include a link with the option to schedule their prescription for delivery. Once the customer clicks the link, they will be redirected to Costco’s site. From here, customers can confirm their prescription and continue to add groceries and household goods to their Instacart Costco delivery order. The orders are delivered to customers in a sealed, tamper-proof bag to ensure customer safety and privacy.

Instacart is also offering contactless delivery for most medications. Instacart shoppers are able to scan a customer’s ID for verification without a signature on qualifying prescription orders. Customers are also able to schedule delivery up to one week in advance under the new service.

The new service was driven by demand in the wake of COVID-19, Instacart president Nilam Ganenthiran.

“For many people, we know that part of their grocery shopping experience goes beyond fresh produce, meat, seafood and pantry staples, and also includes getting much-needed medications,” said Ganenthiran.

Instacart has seen demand for its grocery service skyrocket as the COVID-19 pandemic spread. The company’s total order volume last week was 400% higher than the same week last year. Customers are spending more as well. The average customer basket size — meaning the total amount a customer spends on their order on Instacart — is more than 25% month-over-month, according to the company.

The increase in demand has prompted Instacart to expand its reach by adding nearly 150 new stores to its marketplace since March 1. It’s also adding workers to keep up with the increase in customers.

Instacart  announced April 10 that it doubled its “Care” team, from 1,200 agents to 3,000 agents. These employees answer questions about how Instacart works as well as respond to delivery issues and other mishaps with orders.

The hiring news followed a strike in March organized by Instacart shoppers who demanded personal protective equipment, hazard pay, default tips and extended sick pay.

While it quickly became clear that the tech and developer conference held during the spring would need to be cancelled due to COVID-19, tech companies are beginning to pull the plug on events taking place later in 2020.

Today, Facebook announced that it would be shelving the in-person component of its virtual reality-focused Oculus Connect 7 conference due to COVID-19 concerns and would be focusing on a digital format. Facebook hadn’t announced dates for the event, the conference is typically held in late September or early October.

“In light of the evolving public health risks related to COVID-19, we’ve decided to shift Oculus Connect 7 to a digital format later this year,” a company blogpost read. “This was a tough decision to make, but we need to prioritize the health and safety of our developer partners, employees, and everyone involved in OC7.”

Earlier this week, California governor Gavin Newsom said it was “unlikely” that sporting events with fans in attendance would return this summer. While the major tech giants had already cancelled the in-person components of their spring and summer developer conferences, this cancellation calls into question how realistic timelines are for tech events that have been rescheduled from spring to the fall.

Conferences have long been critical to the indie games industry with small studios often using the gatherings to form relationships with publishers. With many of the virtual reality industry’s major events shuttering over the past couple years as hype has waned, Oculus Connect has remained a critical event in the VR community.

As with the cancelation of F8, Facebook says they are making a $500,000 donation that “will prioritize organizations serving local San Jose residents.”

Verizon makes a move into videoconferencing, Jeff Bezos discusses a plan to test Amazon employees for COVID-19 and Apple is reportedly working on new over-ear headphones. Here’s your Daily Crunch for April 16, 2020.

1. Verizon is buying b2b videoconferencing firm BlueJeans

TechCrunch’s parent company is buying veteran videoconferencing platform BlueJeans Network — shelling out less than $500 million on the acquisition, according to the Wall Street Journal. (A Verizon spokeswoman confirmed that the price-tag is sub-$500 million but did not provide a more exact figure.)

“Customers will benefit from a BlueJeans enterprise-grade video experience on Verizon’s high-performance global networks,” the company said in a statement. “In addition, the platform will be deeply integrated into Verizon’s 5G product roadmap, providing secure and real-time engagement solutions for high growth areas such as telemedicine, distance learning and field service work.”

2. Bezos details Amazon’s COVID-19 testing plans in shareholder letter

Jeff Bezos dropped Amazon’s annual shareholder letter today, which includes more information on the Amazon-built testing labs that were announced last week. Bezos said the company is considering “regular testing of all Amazonians, including those showing no symptoms.”

3. Apple said to be working on modular, high-end, noise-cancelling over-ear headphones

Bloomberg reports that Apple is developing its own competitors to popular over-ear noise-cancelling headphones like those made by Bose and Sony, but with similar technology to that used in the AirPod and AirPod Pro lines.

4. Unicorn layoffs keep piling up as the economy gets worse

Yesterday, news broke that a trio of well-known, heavily-backed unicorns — Carta, Zume and Opendoor — were cutting staff.

5. Punitive liquidation preferences return to VC — don’t do it

VC Pascal Levensohn says that several of his current portfolio companies have recently proposed “emergency bridge” convertible note financings of between $5 million and $15 million, each featuring a painful feature for non-participants. (Extra Crunch membership required.)

6. DoD Inspector General report finds everything was basically hunky-dory with JEDI cloud contract bid

While controversy has dogged the $10 billion, decade-long JEDI contract since its earliest days, a report by the Department of Defense’s Inspector General’s Office concluded that the contract procurement process was fair and legal.

7. Google Play adds a ‘Teacher Approved’ section to its app store

All apps found in this section are vetted by a panel of reviewers, including more than 200 teachers across the U.S., and meet Google’s existing requirements (around government regulation and advertising) for its “Designed for Families” program.

The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories. If you’d like to get this delivered to your inbox every day at around 9am Pacific, you can subscribe here.

Apple is adding a new Battery Health Management feature to the latest version of macOS Catalina. The arrival of 10.15.5 will bring the new feature, which is designed to increase the overall lifespan of MacBook batteries by reducing the maximum charge in certain instances.

Rather than focusing on things like specific app usage, the feature determines battery health based on charging patterns and temperature history. That means if you’re the kind of users who constantly has their laptop plugged in during use (as a majority of us currently do, thanks to stay at home orders), you may be the prime target.

The feature is designed to primarily operate in the background, though users will be able to toggle it on and off in the Energy Saver Preferences under settings. It’s designed have a limited impact on device charging time. No word on how it will ultimately impact the battery’s lifespan. System performance, on the other hand, should be unaffected.

The feature is rolling out as part of the developer seed today and will be included in the final version of 10.15.5. It’s compatible with all MacBook models sporting Thunderbolt 3.

Google is today announcing a series of policy changes aimed at eliminating untrustworthy apps from its Android app marketplace, the Google Play store. The changes are meant to give users more control over how their data is used, tighten subscription policies, and help prevent deceptive apps and media — including those involving deepfakes — from becoming available on the Google Play Store.

Background Location

The first of these new policies is focused on the location tracking permissions requested by some apps.

Overuse of location tracking has been an area Google has struggled to rein in. In Android 10, users were able to restrict apps’ access to location while the app was in use, similar to what’s been available on iOS. With the debut of Android 11, Google decided to give users even more control with the new ability to grant a temporary “one-time” permission to sensitive data, like location.

In February, Google said it would also soon require developers to get user permission before accessing background location data, after noting that many apps were asking for unnecessary user data. The company found that a number of these apps would have been able to provide the same experience to users if they only accessed location while the app was in use — there was no advantage to running the app run in the background.

Of course, there’s an advantage for developers who are collecting location data. This sort of data can be sold to third-party through trackers that supply advertisers with detailed information about the app’s users, earning the developer additional income.

The new change to Google Play policies now requires that developers get approval to access background location in their app.

But Google is giving developers time to comply. It says no action will be taken for new apps until August 2020 or on existing apps until November 2020.

“Fleeceware”

A second policy is focused on subscription-based apps. Subscriptions have become a booming business industry-wide. They’re often a better way for apps to generate revenue as opposed to other monetization methods — like paid downloads, ads, or in-app purchases.

However, many subscription apps are duping users into paying by not making it easy or obvious how to dismiss a subscription offer in order to use the free parts of an app, or not being clear about subscription terms or the length of free trials, among other things.

The new Google Play policy says developers will need to be explicit about their subscription terms, trials and offers, by telling users the following:

• Whether a subscription is required to use all or parts of the app. (And if not required, allow users to dismiss the offer easily.)
• The cost of the subscription
• The frequency of the billing cycle
• Duration of free trials and offers
• The pricing of introductory offers
• What is included with a free trial or introductory offer
• When a free trial converts to a paid subscription
• How users can cancel if they do not want to convert to a paid subscription

That means the “fine print” has to be included on the offer’s page, and developers shouldn’t use sneaky tricks like lighter font to hide the important bits, either.

For example:

This change aim to address the rampant problem with “fleeceware” across the Google Play store. Multiple studies have shown subscription apps have gotten out of control. In fact, one study from January stated that over 600 million Android users had installed “fleeceware” apps from the Play Store. To be fair, the problem is not limited to Android. The iOS App Store was recently found to have an issue, too, with more than 3.5 million users having installed “fleeceware.” 

Developers have until June 16, 2020 to come into compliance with this policy, Google says.

Deepfakes

The final update has to do with the Play Store’s “Deceptive Behavior” policy.

This wasn’t detailed in Google’s official announcements about the new policies, but Google tells us it’s also rolling out updated rules around deceptive content and apps.

Before, Google’s policy was used to restrict apps that tried to deceive users — like apps claiming a functionally impossible task, those that lied in their listing about their content or features, or those that mimicked the Android OS, among others.

The updated policy is meant to better ensure all apps are clear about their behavior once their downloaded. In particular, it’s meant to prevent any manipulated content (aka “deepfakes”) from being available on the Play Store.

Google tells us this policy change won’t impact apps that allow users to make deepfakes that are “for fun” — like those that allow users to swap their face onto GIFs, for example. These will fall under an exception to the rule, which allows deepfakes which are “obvious satire or parody.”

However, it will take aim at apps that manipulate and alter media in a way that isn’t conventionally obvious or acceptable.

For example:

• Apps adding a public figure to a demonstration during a politically sensitive event.
• Apps using public figures or media from a sensitive event to advertise media altering capability within an app’s store listing.
• Apps that alter media clips to mimic a news broadcast.

In particular, the policy will focus on apps that promote misleading imagery that could cause harm related to politics, social issues, or sensitive events. The apps must also disclose or watermark the altered media, too, if it isn’t clear the media has been altered.

Similar bans on manipulated media have been enacted across social media platforms, including Facebook, Twitter and WeChat. Apple’s App Store Developer Guidelines don’t specifically reference “deepfakes” by name, however, though it bans apps with false or defamatory information, outside of satire and humor.

Google says the apps currently available on Google Play have 30 days to comply with this change.

In Google’s announcement, the company said it understood these were difficult times for people, which is why it’s taken steps to minimize the short-term impact of these changes. In other words, it doesn’t sound like the policy changes will soon result in any mass banning or big Play Store clean-out — rather, they’re meant to set the stage for better policing of the store in the future.

 

One of the avenues currently being pursued in terms of developing an effective treatment for COVID-19 is through the use of convalescent plasma. Basically, that means using the liquid component of blood from people who have had, and already recovered fully from COVID-19 to produce treatments that hopefully translate the antibodies they developed over the course of fighting off the virus to others. The FDA has created a dedicated new website seeking recovered COVID-19 donations, and explaining its potential uses.

Use of convalescent plasma is hardly a new concept: It’s been in use since the late 1890s, in fact, and was employed during the 1918 Spanish flu pandemic, albeit with “mixed results.” Modern methods could help improve the efficacy and potential of recovered plasma as a treatment method, and there are a number of drugs in development that use plasma (both animal and human) as the basic active ingredient of their approach.

The new FDA website around COVID-19 plasma donation defines what it is, and why it’s under investigation as a possible treatment. It also outlines what conditions need to be met in order for an individual to be qualified to donate (no symptoms for at least 28 days prior to donation, or at least 14 days when combined with a confirmed negative lab test for active COVID-19 viral presence), and it directs you to donate via an American Red Cross or local blood center nearby.

Why is so much COVID-19 patient plasma needed, if it’s not yet even proven to be effective in treatment of the virus? Mainly because there are a lot of efforts underway to determine whether it actually can help with efforts to combat the virus, including clinical trials for a number of different treatments, as well as single-patient treatment authorizations through what are known as emergency investigational new drug (eIND) one-off usage approvals from the FDA.

As with every potential treatment and vaccine in development to address COVID-19 at this stage, recovered plasma remains unproven, and it’s unlikely ongoing efforts to study its effectiveness will bear definitive proof one way or another in the near term. Still, there’s a growing need for plasma supplies to help further that work, hence the FDA’s decision to spur more donations with dedicated informational resources like this one.